topic Zone based firewall malfunction in Network Security

Zone based firewall malfunction

Tommy Svensson — Mon, 11 Mar 2019 20:00:18 GMT

Hi.

Im setting up a network with multiple VLANs and i want every VLAN to just access the Internet and not other VLANs. my config is misconfigured and i cant see where. I want VLAN 10 and 20 do access the services ive listed in my config on the Internet but not on other VLANs.

Regards Tommy Svensson

R1#show run
Building configuration...

Current configuration : 7381 bytes
!
! Last configuration change at 14:17:07 PCTime Thu Mar 3 2011 by iosoft
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool ccp-pool1
network 10.10.10.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.10.1
!
ip dhcp pool ccp-pool2
import all
network 10.10.20.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.20.1
!
ip dhcp pool Management
import all
network 10.10.100.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.100.1
!
ip dhcp pool AP
import all
network 10.10.30.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.30.1
!
!
no ip bootp server
ip domain name tedact.local
ip name-server 192.168.98.2
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-530346110
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-530346110
revocation-check none
rsakeypair TP-self-signed-530346110
!
!
crypto pki certificate chain TP-self-signed-530346110
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35333033 34363131 30301E17 0D313130 32323430 37323030
315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 30333436
31313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
CCC4DE13 6476A2A0 B05D718B BDA1BB42 953FED57 2F37490D BEF58A1B 8F4774A0
17F52B83 A48A59BC 46F1BFBA 68D2BBE3 66A40219 8B6FB14E 96424551 4AFB4598
C2F0E9DA 53946559 767A6468 88253DDF B42DEFA3 EF0693F2 E2B77B24 2EFD3F6C
620E1F33 3B994749 A9C1F5A9 63821FD4 0A0C808F DF3D70D7 9C1E813E D78E79C7
02030100 01A36F30 6D300F06 03551D13 0101FF04 05300301 01FF301A 0603551D
11041330 11820F52 312E7465 64616374 2E6C6F63 616C301F 0603551D 23041830
16801439 3E27ECCE E810B254 66EA1C16 3213546A 2C345230 1D060355 1D0E0416
0414393E 27ECCEE8 10B25466 EA1C1632 13546A2C 3452300D 06092A86 4886F70D
01010405 00038181 001AE204 00263DC0 F478478D 94CD33B9 CFCC4685 16D3EC89
0EE17A28 709F7B2A 7060A2C1 C851D34C 4A5A5E82 428E5101 2CF2E90D FFBAC276
81B09ADF BDA33EC5 E6EB5F38 13613C88 15D43E93 F40F6C53 2C92AE4E 0F169075
0964F08C DB2A0F71 BFAC9BF0 C51A92BC CC7B93A3 D6AEEBAF 50AEBF71 E3F8BFAE
E9FB1AB8 726902D1 78
quit
license udi pid CISCO2911/K9 sn xxxxxxxxx
!
!
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map type inspect match-all VLAN_TO_WAN_CLASS
description VLAN_TO_WAN_CLASS
match protocol pop3
match protocol imap
match protocol smtp
match protocol icmp
match protocol echo
match protocol ssh
match protocol http
match protocol ftp
match protocol https
match protocol pop3s
match protocol imaps
match protocol imap3
match protocol irc
match protocol irc-serv
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
pass
class class-default
drop
!
zone security zx_1543423965
zone security zy_1027413455
zone security VLAN_10_ZONE
zone security VLAN_20_ZONE
zone security WAN_ZONE
zone-pair security zx-zy_1919797047 source zx_1543423965 destination zy_1027413455
service-policy type inspect-internal px-py
zone-pair security VLAN_10_TO_WAN source VLAN_10_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security FW_INT_REV_VLAN_10_TO_WAN_680015950 source WAN_ZONE destination VLAN_10_ZONE
service-policy type inspect-internal I_VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN_20_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security FW_INT_REV_VLAN_20_TO_WAN_3879632611 source WAN_ZONE destination VLAN_20_ZONE
service-policy type inspect-internal I_VLAN_TO_WAN_POLICY
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN 10 CompanyA
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN_10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN 20 CompanyB$ETH-LAN$
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN 30 AP
encapsulation dot1Q 3
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description $ETH-WAN$
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
!
no cdp run

!
!
!
!
!
control-plane
!
!
banner exec ^C HOHO ^C
banner login ^CAuthorized access only!
^C
!
line con 0
timeout login response 300
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
end

Re: Zone based firewall malfunction

Jennifer Halim — Fri, 04 Mar 2011 10:23:37 GMT

The followings are the ones that cause the failure:

1) "class-map type inspect match-all VLAN_TO_WAN_CLASS", it should say:

"class-map type inspect match-any VLAN_TO_WAN_CLASS" instead.

2) policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
pass

It should say "inspect" instead:

policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
inspect

3) You do not need the following if you only want outbound connectivity:

zone-pair security FW_INT_REV_VLAN_10_TO_WAN_680015950 source WAN_ZONE destination VLAN_10_ZONE
service-policy type inspect-internal I_VLAN_TO_WAN_POLICY

zone-pair security FW_INT_REV_VLAN_20_TO_WAN_3879632611 source WAN_ZONE destination VLAN_20_ZONE
service-policy type inspect-internal I_VLAN_TO_WAN_POLICY

Hope that helps.

Re: Zone based firewall malfunction

Tommy Svensson — Fri, 04 Mar 2011 14:13:47 GMT

Hi again.

I have now tried to solve it whitout succeeding. When i assign a zone to an interface it all goes down, the hosts on different VLANs cant ping eachother wich is good, but it cant ping anything out the WAN interface either. Hoping to get some pointers in the matter.

EDIT:
What do i need to configure for the router to have a standard firewall towards the Internet. The WAN interface is in the zone WAN_ZONE, do i need to specify a zone-pair for every WAN to VLAN connection? Like i do from VLAN to WAN.

It is a company hotel for more than 25 companies and if i have to make zone-pairs for every VLAN to WAN & WAN to VLAN possibility there is im gonna puke

The thing is that every company is going to have their own VLAN and i just want them to access the Internet and no other VLAN. Also i want the entire network to be as safe as it can behind my firewall. What do i need to do?

Regards Tommy Svensson

R1#show run
Building configuration...

Current configuration : 6983 bytes
!
! Last configuration change at 15:00:02 PCTime Fri Mar 4 2011 by iosoft
!
version 15.0
!
hostname R1
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool ccp-pool1
network 10.10.10.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.10.1
!
ip dhcp pool ccp-pool2
import all
network 10.10.20.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.20.1
!
ip dhcp pool Management
import all
network 10.10.100.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.100.1
!
ip dhcp pool AP
import all
network 10.10.30.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.30.1
!
!
no ip bootp server
ip domain name tedact.local
ip name-server 192.168.98.2
!
multilink bundle-name authenticated

username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx.
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map type inspect match-any VLAN_TO_WAN_CLASS
match protocol icmp
match protocol echo
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
match protocol ftp
match protocol ssh
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
inspect
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN 10 CompanyA
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN 20 CompanyB
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN20_ZONE
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN 30 AP
encapsulation dot1Q 3
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN30_ZONE
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN100_ZONE
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description $ETH-WAN$
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
!
no cdp run

R1#

Re: Zone based firewall malfunction

Jennifer Halim — Sat, 05 Mar 2011 11:41:13 GMT

The reason why it's not working is because you haven't configured the service-policy to all the following zone-pair:

zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE

It should be configured as follows:

zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE

service-policy type inspect VLAN_TO_WAN_POLICY

zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE

service-policy type inspect VLAN_TO_WAN_POLICY

zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE

service-policy type inspect VLAN_TO_WAN_POLICY

zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE

service-policy type inspect VLAN_TO_WAN_POLICY

Since you only would like outbound connectivity, you only need to configure all the internal zones as the source with WAN_ZONE as the destination like you already configured. The opposite direction is not required unless they are going to host web servers/etc that needs to be accessible from the Internet.

Re: Zone based firewall malfunction

Tommy Svensson — Mon, 07 Mar 2011 10:09:06 GMT

Hi again.

I cant get it to work still. Hoping you could spot some fault in my running config.

Regards Tommy Svensson

R1#show run
Building configuration...

Current configuration : 7203 bytes
!
! Last configuration change at 11:03:09 PCTime Mon Mar 7 2011 by xxxxxxxx
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool ccp-pool1
network 10.10.10.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.10.1
!
ip dhcp pool ccp-pool2
import all
network 10.10.20.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.20.1
!
ip dhcp pool Management
import all
network 10.10.100.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.100.1
!
ip dhcp pool AP
import all
network 10.10.30.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.30.1
!
!
no ip bootp server
ip domain name tedact.local
ip name-server 192.168.98.2
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-530346110
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-530346110
revocation-check none
rsakeypair TP-self-signed-530346110
!
!
crypto pki certificate chain TP-self-signed-530346110
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35333033 34363131 30301E17 0D313130 32323430 37323030
315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 30333436
31313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
CCC4DE13 6476A2A0 B05D718B BDA1BB42 953FED57 2F37490D BEF58A1B 8F4774A0
17F52B83 A48A59BC 46F1BFBA 68D2BBE3 66A40219 8B6FB14E 96424551 4AFB4598
C2F0E9DA 53946559 767A6468 88253DDF B42DEFA3 EF0693F2 E2B77B24 2EFD3F6C
620E1F33 3B994749 A9C1F5A9 63821FD4 0A0C808F DF3D70D7 9C1E813E D78E79C7
02030100 01A36F30 6D300F06 03551D13 0101FF04 05300301 01FF301A 0603551D
11041330 11820F52 312E7465 64616374 2E6C6F63 616C301F 0603551D 23041830
16801439 3E27ECCE E810B254 66EA1C16 3213546A 2C345230 1D060355 1D0E0416
0414393E 27ECCEE8 10B25466 EA1C1632 13546A2C 3452300D 06092A86 4886F70D
01010405 00038181 001AE204 00263DC0 F478478D 94CD33B9 CFCC4685 16D3EC89
0EE17A28 709F7B2A 7060A2C1 C851D34C 4A5A5E82 428E5101 2CF2E90D FFBAC276
81B09ADF BDA33EC5 E6EB5F38 13613C88 15D43E93 F40F6C53 2C92AE4E 0F169075
0964F08C DB2A0F71 BFAC9BF0 C51A92BC CC7B93A3 D6AEEBAF 50AEBF71 E3F8BFAE
E9FB1AB8 726902D1 78
quit
license udi pid CISCO2911/K9 sn xxxxxxxxxxxxx
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map type inspect match-any VLAN_TO_WAN_CLASS
match protocol icmp
match protocol echo
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
match protocol ftp
match protocol ssh
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
inspect
class class-default
drop
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN 10 CompanyA
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN 20 CompanyB
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN20_ZONE
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN 30 AP
encapsulation dot1Q 3
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN30_ZONE
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN100_ZONE
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description $ETH-WAN$
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
!
no cdp run

R1#

Re: Zone based firewall malfunction

Jennifer Halim — Mon, 07 Mar 2011 10:21:56 GMT

Can you please advise what is failing?

How did you test? ping? http? do you try ping by ip address, http by ip address?

Also what is your source and destination ip address?

I am assuming that if you take the zone member off, Internet connectivity works fine?

Re: Zone based firewall malfunction

Tommy Svensson — Mon, 07 Mar 2011 10:25:15 GMT

I have a host on VLAN 10 with IP of 10.10.10.50 and i tried to ping google.com and browsing to http://google.com and it did not work. When i take away interface association to security zones it works again but no firewall is enabled on the interface.

Regards Tommy Svensson

Re: Zone based firewall malfunction

Jennifer Halim — Mon, 07 Mar 2011 10:27:20 GMT

Does ping to 4.2.2.2 work?

Re: Zone based firewall malfunction

Tommy Svensson — Mon, 07 Mar 2011 10:28:43 GMT

Yes it works!

Must be something with the DNS traffic i suppose cause pinging IP works just fine.

I can also ping 10.10.100.1, 10.10.20.1 & 10.10.30.1. Should i be able to do that?

Regards Tommy Svensson

Re: Zone based firewall malfunction

Jennifer Halim — Mon, 07 Mar 2011 10:30:23 GMT

Great,....

Looks like you are missing DNS inspection

Here we go:

class-map type inspect match-any VLAN_TO_WAN_CLASS
match protocol dns

Re: Zone based firewall malfunction

Tommy Svensson — Mon, 07 Mar 2011 10:42:15 GMT

As i said in previous post, i can still ping gateways of the other VLANs, such as from host 10.10.10.50 to 10.10.20.1 & 10.10.100.1. I cant ping the hosts on the VLAN, such as 10.10.100.50. How come? I tought i set the policy on the interface and it would prevent that kind of traffic.

Regards Tommy Svensson

Re: Zone based firewall malfunction

Jennifer Halim — Mon, 07 Mar 2011 10:45:18 GMT

Apart from ping, can you please try to see if you can telnet to 10.10.20.1 & 10.10.100.1 from 10.10.10.50?

Re: Zone based firewall malfunction

Tommy Svensson — Mon, 07 Mar 2011 10:48:21 GMT

Yes i can telnet to 10.10.20.1 & 10.10.100.1

I cant do a remote desktop from 10.10.10.50 to 10.10.100.50 however.

Re: Zone based firewall malfunction

Jennifer Halim — Mon, 07 Mar 2011 10:53:44 GMT

And just to confirm, you can remote desktop from 10.10.10.50 to 10.10.100.50 when the zone member is removed from the interface?

If you can, then self zone does not seem to be working.

BTW, before I proceed to create policy to self zone, what access would you like towards the interfaces?

Ping only from the directly connected subnet?

What about telnet?

What other access do you need towards the router interfaces? GUI?

Re: Zone based firewall malfunction

Tommy Svensson — Mon, 07 Mar 2011 12:01:55 GMT

Yes i can use remote desktop to 10.10.100.50 from 10.10.10.50 when the firewall is down but not after. As it should be, i dont want any connection between VLANs as companies will use their own VLAN only. But om wondering about if it should be possible to telnet to another subnets default gateway like 10.10.30.1. The thing is that the companies must not be able to acces eachothers machines, so the telnet possibility to the default gateway is not a problem, i will set it to use SSH and with a very strong password so its going to be hard to get access to the router.

Another thing im wondering about now is that if i have a functional firewall towards the "outside" or Internet? I have not specified any access into the network so im just wondering if its a default deny or something like that?

Regards Tommy Svensson

Re: Zone based firewall malfunction

Jennifer Halim — Mon, 07 Mar 2011 12:33:30 GMT

Absolutely correct, the default action from outside towards internal subnets would be deny by default. And if you do want access from the internet towards the internal hosts, you will still need to configure translation to a public ip address so it's accessible from the internet.

And yes, you are right. If you are happy with just acccess towards the router interfaces from the internal subnets, then we don't need to configure any self rule.

Re: Zone based firewall malfunction

Tommy Svensson — Tue, 15 Mar 2011 08:11:23 GMT

Hi again.

I have worked a bit with the router and i have now another problem with my firewall.. I was hoping you could help me thist time again.

My hosts on the different VLANs cant reach Internet. Does not awnser to ping or http/https. I cant ping my DNS on 192.168.98.2 from any IP inside any VLAN.

Regards Tommy Svensson

class-map type inspect match-any VLAN_TO_WAN_CLASS
match protocol icmp
match protocol echo
match protocol http
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
match protocol ftp
match protocol ssh
match protocol dns
match protocol h323
match protocol tftp
match protocol ntp
match protocol irc
match protocol ircs
match protocol telnet
match protocol ldap
match protocol snmp
match protocol https
match protocol appleqtc
match protocol cifs
match protocol exec
match protocol h323-annexe
match protocol h323-nxg
match protocol icabrowser
match protocol icq
match protocol gtpv0
match protocol gtpv1
match protocol l2tp
match protocol ldap-admin
match protocol login
match protocol lotusnote
match protocol lotusmtap
match protocol ms-sql
match protocol ms-sql-m
match protocol msexch-routing
match protocol nfs
match protocol nntp
match protocol radius
match protocol pptp
match protocol realmedia
match protocol rsvp_tunnel
match protocol rtelnet
match protocol shell
match protocol sip-tls
match protocol sip
match protocol telnets
match protocol time
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
inspect
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN2_ZONE
zone security VLAN3_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_2_TO_WAN source VLAN2_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_3_TO_WAN source VLAN3_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN_1_Native
encapsulation dot1Q 1 native
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN1_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN_2_Company2
encapsulation dot1Q 2
ip address 10.10.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN2_ZONE
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN_3_Company3
encapsulation dot1Q 3
ip address 10.10.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN3_ZONE
no cdp enable
!
interface GigabitEthernet0/0.10
description VLAN_10_Company10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.20
description VLAN_20_Company20
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN20_ZONE
no cdp enable
!
interface GigabitEthernet0/0.30
description VLAN_30_Company30
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN30_ZONE
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN100_ZONE
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN_INTERFACE
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled